Tom Luing, CFP®, EA - Professional Issues Committee Member
We, as the FPA MN Professional Issues Committee, have discussed and written extensively on cybersecurity issues this year. The topic is timely for two reasons: 1) the threat of cybersecurity breaches increases almost daily, and 2) it is a focus for our industry regulators and their exams. Whether you are a financial planner, an insurance agent, a securities broker, a tax preparer, or a vendor providing products to any of the above, we're confident you will soon be looking more closely at your need to develop cybersecurity policies and procedures.
As a representative of my broker dealer, I recently attended an update on cybersecurity measures put on by Professional Issues Committee colleague Keith Loveland. From that meeting, I learned a number of new things about cybersecurity that I thought I would share.
First, a new term: cyber resilience. As we become more aware of what is happening in the cybersecurity world, two things are becoming more widely accepted: 1) we may not be able to stop every cybersecurity attack, since the good guys and the bad guys are locked in a leapfrog game, and 2) since many financial firms will be subjected to cybersecurity attacks, the focus is shifting toward the ability to recover from an attack.
So while the past emphasis has been on preventing the attack, a new focus is evolving on how to survive an attack as well. With regard to this focus, I was amazed that the average time it takes for a firm to realize it has suffered a cybersecurity breach is 270 days, or 9 months. It is amazing that we can have intruders in our data systems and not know about it for that long.
Our regulators have been focusing on developing standards for dealing with this industry threat. The National Institute of Standards and Technology (NIST), working with a broad partnership of small and large organizations, has developed the NIST Framework for Improving Critical Infrastructure Cybersecurity. This framework can be used to identify and prioritize actions for developing and implementing a cybersecurity policy and process. It is organized around five key functions:
- Identify – develop the organizational understanding needed to manage cybersecurity risk to systems, assets, data, and capabilities. Examples might be: asset management, governance, and risk assessment.
- Protect – develop and implement appropriate safeguards to ensure delivery of critical services. Examples might be: access control, awareness and training, and data security.
- Detect – develop and implement the procedures needed to identify whether a cybersecurity event has taken place. Examples might be: anomalies and events, security continuous monitoring, and detection processes.
- Respond – develop and implement procedures for acting on a detected cybersecurity event. Examples might include: response planning, communications, analysis, mitigation, and improvements.
- Recover – develop and implement plans that support timely recovery and reduce the impact of an event should it occur. Examples might include: recovery planning, improvements, and communications.
The suggestion was also made that these cybersecurity policies be developed in conjunction with any business continuity and disaster recovery plans your firm already has in place, since the Respond and Recover functions overlap heavily with them. Further updates on this framework can be found at www.nist.gov/framework/.
Finally, you may also want to review the liability insurance for your business. A number of companies offer policies that cover cybersecurity breaches. Read the policy terms carefully, because what is covered (for example, forensic investigation, customer notification, business interruption, and regulatory fines) and what is excluded varies widely from carrier to carrier.